Cryptographic Random Number Generator Using Finite Field Operations

ABSTRACT

An apparatus and method are provided in various illustrative embodiments for an integrated circuit chip that provides a fast, compact, and cryptographically strong random number generator. In one illustrative embodiment, an apparatus includes an initial random source, and a post-processing block in communicative connection with the initial random source. The post-processing block is configured to receive signals from the initial random source, to apply one or more finite field operations to the signals to generate an output, and to provide an output signal based on the output via an output channel, in this illustrative embodiment.

REFERENCE TO RELATED APPLICATION

This application is a continuation of and claims priority from U.S.application Ser. No. 11/821,212, filed on Jun. 22, 2007, with a title ofCRYPTOGRAPHIC RANDOM NUMBER GENERATOR USING FINITE FIELD OPERATIONS.

FIELD OF THE DISCLOSURE

The present disclosure relates to electrical circuits, such assemiconductor integrated circuits. More particularly, the presentdisclosure relates to electrical circuits that serve as true randomnumber generators.

BACKGROUND OF THE INVENTION

Semiconductor integrated circuits often incorporate hundreds ofthousands of semiconductor elements on a single chip. These elements areinterconnected to perform a desired function.

One such function that may be performed by an integrated circuit chip israndom number generation. A random number generator (RNG) is a devicedesigned to generate a sequence of elements, such that the sequence canbe used as a random one. This randomness may typically be evaluated byvarious randomness test suites that measure the cryptographic strengthof the random sequence produced by the random number generator. Manycomponents used as random number generators are actually pseudorandom orotherwise cryptographically weak; they may incorporate some appearanceof randomness, but actually be revealed to have more or lesspredictability when analyzed. On the other hand, a cryptographicallystrong random number generator generates a random number sequence thatremains unpredictable despite significant analysis, so that it becomescomputationally infeasible to predict what a future bit of the randomoutput will be, even given complete specification of the random numbergenerator.

Cryptographically strong RNG's are used in cryptographic integratedcircuits for cryptographic tasks such as key generation, stream ciphers'design, and so on.

Improved methods and apparatus are desired for generating true randomnumbers with a unit that is fast, compact, and cryptographically strong.

The discussion above is merely provided for general backgroundinformation and is not intended to be used as an aid in determining thescope of the claimed subject matter.

SUMMARY

An aspect of the present disclosure is directed to an apparatus.According to one illustrative embodiment, the apparatus includes aninitial random source, and a post-processing block in communicativeconnection with the initial random source. The post-processing block isconfigured to receive signals from the initial random source, to applyone or more finite field operations to the signals to generate anoutput, and to provide an output signal based on the output via anoutput channel, in this illustrative embodiment.

Another aspect of the present disclosure is directed to a method.According to one illustrative embodiment, the method includes generatingan initial random signal with a ring oscillator. The initial randomsignal is used as a control signal to select from among a plurality ofoptional input signals. One or more finite field operations areperformed on the input signals. The result of the one or more finitefield operations is provided as an output signal, in this illustrativeembodiment.

Another aspect of the present disclosure is directed to an integratedcircuit device. According to one illustrative embodiment, the integratedcircuit device includes a ring oscillator, a multiplexer, a finite fieldmultiplication component, a finite field squaring component, and anaccumulator. The multiplexer includes two data signal inputs, a controlsignal input, and an output. The control signal input is communicativelyconnected to an output of the ring oscillator. The finite fieldmultiplication component includes first and second inputs and an output.The first input of the finite field multiplication component iscommunicatively connected to the output of the multiplexer. The finitefield squaring component includes an input and an output. The output ofthe finite field multiplication component is communicatively connectedto the second input of the finite field squaring component. Theaccumulator includes an input and an output. The input of theaccumulator is communicatively connected to the output of the finitefield multiplication component, and the output of the accumulator iscommunicatively connected to both the input of the finite field squaringcomponent, and to an output channel, in this illustrative embodiment.

This Summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used as an aid in determining the scope of the claimed subjectmatter. The claimed subject matter is not limited to implementationsthat solve any or all disadvantages noted in the background.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 provides a block diagram depicting a random number generator coremodule structure, according to one illustrative embodiment.

FIG. 2 provides a flowchart illustrating a method for generating arandom number, according to one illustrative embodiment.

FIG. 3 provides a block diagram depicting an initial random source for arandom number generator, according to one illustrative embodiment.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

FIG. 1 provides a block diagram that illustrates an apparatus 100configured for generating random numbers using finite field operations,according to an exemplary embodiment of the disclosure. The apparatus100 may be embodied as an integrated circuit device, for example, whichembodies the different depicted elements on one or more integratedcircuit chips. Those elements may be connected to each other withcommunicative connections, capable of transmitting signals from onecomponent to another, such as through various inputs and outputs. Theapparatus 100 includes an initial random source 10 and a post-processingblock 20 that is in communicative connection with the initial randomsource 10 by means of the output B of initial random source 10, in thisillustrative embodiment. The initial random source 10 may be embodied asone or more ring oscillators, for example. One illustrative embodimentof an initial random source is described below with reference to FIG. 2.

Post-processing block 20 includes several components in thisillustrative embodiment, including multiplexer 12, finite fieldmultiplication component 14, finite field squaring component 16,accumulator 18, and output channel 22. Finite field multiplicationcomponent 14 and finite field squaring component 16 are illustrativeexamples of elements within post-processing block 20 that are configuredto execute finite field operations, also known as Galois fieldoperations, for example.

Multiplexer 12 includes two data signal inputs C1 and C2, and a controlsignal input connected to the output B of initial random source 10, aswell as an output which is connected to a first input 13 of finite fieldmultiplication component 14. Post-processing block 20 is therebyconfigured to communicate the output signal BM from multiplexer 12 tofinite field multiplication component 14. Besides first input 13 whichis communicatively connected to the output of multiplexer 12, finitefield multiplication component 14 also has a second input 15, and anoutput which is communicatively connected to an accumulator 18. Finitefield multiplication component 14 is configured to perform a finitefield multiplication operation on the two signals received through thetwo inputs 13 and 15 to generate a resulting output signal, and isconfigured to communicate that resulting output signal Z to accumulator18, in this illustrative embodiment.

Accumulator 18 includes both an input and an output, the input beingconnected to the output of the finite field multiplication component 14.A node connected to the output of accumulator 18 allows the outputthereof to be connected to both finite field squaring component 16 andan output channel 20. Finite field squaring component 16 is configuredto perform a finite field squaring operation, such as finite fieldsquaring of the input. Finite field squaring component 16 includes bothan input connected to the output of accumulator 18, and an output whichis connected to the second input 15 of the finite field multiplicationcomponent. The finite field multiplication component 14, finite fieldsquaring component 16, and accumulator 18 thereby form a cyclic loop,while accumulator 18 also provides its output signal to output channel20, which may convey iterations of a final random output from apparatus10. Output channel 20 may also either provide the output signal fromaccumulator 18 as is, or may perform additional end-processing steps,such as selecting a subset of bits from the output signal, such as fromthe middle thereof in one illustrative embodiment, and provide thatsubset of bits as the final random output signal. The final randomoutput signal is thus cryptographically strong, and iterations thereofmay be provided rapidly, and from a compact package, according to thepresent illustrative embodiment of apparatus 10.

The signal provided to the first input of finite field multiplicationcomponent 14 is based on the initial random source in that it isselected from among the inputs to multiplexer 12 in a selection that iscontrolled by the initial random source 10, in this illustrativeembodiment. The signal provided to the input of finite fieldmultiplication component 14 may be based on the output of the initialrandom source 10 in a wide variety of other ways in various embodiments,such as by receiving the output of initial random source 10 directly, orafter one or more prior transformations, or by receiving a signal thatis in some other way controlled by the output of the initial randomsource, in different embodiments.

Post-processing block 20 is thereby configured to receive an inputsignal BM based on the initial random source 10, using components suchas finite field multiplication component 14 and finite field squaringcomponent 16 to apply finite field operations to the input signal BM togenerate a randomized output Z, and to provide an output signal A via anoutput channel 20 wherein the output signal A is based at least in parton the randomized output Z. Output signal A is also communicated tofinite field squaring component 16 which performs a finite fieldsquaring to provide A²=A*A as its output, and A² is provided to secondinput 15 of finite field multiplication component 14. This yields acombined finite field operation for post-processing block 20, for eachiteration n of randomized signal, of a randomized output Z generatedaccording to:

Z(n+1)=BM*[A(n)]²

The function of apparatus 100 may be further illustratively demonstratedwith reference to the flowchart 200 of FIG. 2, prior to more detaileddescription of the components of apparatus 100. FIG. 2 provides aflowchart illustrating a method 200 for generating random numbers usingfinite field operations, as may illustratively be performed by apparatus100 of FIG. 1. Method 200 includes step 201, of generating an initialrandom signal, such as may illustratively be done with initial randomsource 10 of apparatus 100, for example. Method 200 further includesstep 203, of using the initial random signal as a control signal toselect from among a plurality of optional input signals, as mayillustratively be done with multiplexer 12 of apparatus 100, forexample. The plurality of optional input signals could be two optionalinput signals, as shown with the two inputs to multiplexer 12 in FIG. 1,or could include three or any higher number of optional inputs to bechosen from, in other embodiments. Method 200 also includes step 205,for performing one or more finite field operations on the input signals,such as may illustratively be performed by either or both of finitefield multiplication component 14 and finite field squaring component 16in the example of apparatus 100. Method 200 also includes step 207, forproviding an output signal based at least in part on a result of the oneor more finite field operations, such as may illustratively be performedby accumulator 18 and/or output channel 20 in apparatus 100. Whileapparatus 100 provides certain illustrative examples of hardwareelements configured to perform the steps of method 200, a wide varietyof other implementations may also be used to perform differentembodiments of method 200.

While finite field multiplication component 14 and finite field squaringcomponent 16 are depicted in FIG. 1 as illustrative examples of finitefield operation elements within post-processing block 20, differentembodiments of post-processing blocks may include only one finite fieldoperation element, or two as shown in FIG. 1, or any larger number offinite field operation elements. Such finite field operation elementsmay be configured to perform finite field operations such as finitefield addition, finite field multiplication, finite field squaring, orany other finite field operation. The signals received and generated bythe finite field operation elements may also be arranged in a widevariety of configurations in different embodiments. While theillustrative embodiment of FIG. 1 features a finite field multiplicationcomponent that provides the input to the finite field squaring element,and the finite field squaring element in turn provides its output as oneof the inputs to the finite field multiplication component, this is onlyone illustrative configuration.

Other configurations may, for example, use the outputs of one or morefinite field operation elements as inputs to a finite field additioncomponent, or to a finite field multiplication component, or to a finitefield squaring component, or to another type of finite field operationcomponent. A third, fourth, or other number of finite field operationelement may also be connected with the first two finite field operationcomponents that are depicted in FIG. 1, with the output from the secondused as an input for the third, the output from the third used as aninput of the first or of the fourth, the output of the fourth used as aninput to the first or a fifth finite field operation element, and soforth. Any of these finite field operation elements may be a finitefield addition element, a finite field multiplication element, a finitefield squaring element, or any other type of finite field operationelement. Such elements therefore contribute to configuringpost-processing block 20 for applying any of a variety of finite fieldoperations to a signal based on the initial random source. Any of a widevariety of configurations of mutually connected finite field operationelements may therefore be used to generate cryptographically strongrandom outputs, according to a variety of different embodiments.

Finite field operations are well-suited for generating acryptographically strong random output. A finite field is a field thatcontains only finitely many elements. Every finite field has p^(n)elements for some prime number p and some integer n>0, such that afinite field is denoted by GF(p^(n)) (where “GF” indicates a Galoisfield, as synonymous terminology for a finite field). In someembodiments, it is found to be practical to use p=2, rendering thefinite field as GF(2^(n)). In this case, the elements of GF(2^(n)) canbe considered as n-bit binary vectors.

Finite field operations can be efficiently embodied in hardware elementssuch as finite field multiplication component 14, finite field squaringcomponent 16, a finite field addition component (not included in theillustrative embodiment of FIG. 1), or other types of finite fieldoperation elements. As an illustrative example, a finite field additioncomponent may be embodied using bitwise addition of corresponding binaryvectors. As another illustrative example, a finite field multiplicationelement may be embodied with a circuit that includes approximately 7n²logic NAND gates and has a maximum number of logic levels ofapproximately 4 log(n). As yet another illustrative example, a finitefield squaring element that performs a finite field squaring, can beembodied using a cyclic shift of an input binary vector. Otheroperations may also be embodied in other finite field operationelements.

For example, in one illustrative embodiment, the finite field operationelements may be configured to perform finite field operations overfinite fields GF(2^(n)) where n is a prime integer between 16 and 32.There are five prime integers within that interval: 17, 19, 23, 29, and31. The finite fields would therefore each have either 2¹⁷, 2¹⁹, 2²³,2²⁹ or 2³¹ elements. Finite field operation components for operatingwith these finite fields would illustratively be embodied withapproximately 7n² logic NAND gates. Other finite field operationcomponents may also be used which could illustratively be embodied witha number of logic NAND gates that is approximate to 7n², while allowingfor a range of significant variation from that value similar, or largerstill in some cases, to the variation in the case of n being either 17,19, 23, 29, or 31. In still other examples, the finite field operationelements may also be embodied with other types of logic gates, with amixture of NAND gates and other types of logic gates, or with othermeans besides logic gates.

FIG. 3 provides additional detail for one illustrative embodiment of aninitial random source 310 which may be used as initial random source 10of apparatus 100 in FIG. 1. Initial random source 310 comprises a ringoscillator 301, along with an oscillator controller 303, in thisexemplary embodiment. Ring oscillator 301 includes a set of severalseries-connected inverters 305, in this example. While three inverters305 are depicted, this is suggestive only, and ring oscillator 301 maycontain any number of inverters. Ring oscillator 301 may also include aset of several series-connected elements of a wide variety of othertypes of elements, such as buffers, logic-OR gates, or logic-AND gates,for example.

The series of inverters 305 is connected to one input of a multiplexer307. The oscillator controller has both a data signal output 313 to theother input of multiplexer 307, and a control signal output 311 to thecontrol setting of multiplexer 307. The output 309 of multiplexer 307thereby constitutes an initial random signal from the initial randomsource 310, in this illustrative embodiment. Oscillator controller 303checks the state of ring oscillator 301, and if the initial randomsignal is not toggling over a number of cycles, such as 10 to 20 cyclesfor example, then oscillator controller 303 may set the ring oscillator301 to a new value, using the control signal via output 311 and the datasignal via output 313. This architecture enables ring oscillator 310 tobe reset to a known state or to avoid an oscillator transition to aforbidden intermediate state.

The initial random source used for different embodiments comparable toapparatus 100 of FIG. 1 may include a ring oscillator such as ringoscillator 310, or may include two or more ring oscillators, forexample, where a net initial random source is derived from the combinedoperation of multiple ring oscillators and/or other random sourcegenerators, in different embodiments. The initial random source may alsoinclude a pseudo-random source, either alone or in combination with aring oscillator or other random generator elements, in otherembodiments. For example, the pseudo-random source may illustrativelyinclude a linear feedback shift register.

A combination of initial random source and post-processing block mayalso form only some elements within a larger apparatus, for example. Anapparatus may include multiple random number generators working inparallel or some other cooperative configuration, where one or more ofthe individual random number generators may each comprise a completepackage of components such as is depicted in apparatus 100 of FIG. 1, orother comparable random number generator configurations. The overallapparatus may derive an ultimate random output based on the individualrandom outputs of two or more of the parallel random number generators,such as by selecting a set of random output bits from each of two ormore random number generator subsystems, in one illustrative embodiment.A different apparatus may also include additional elements incommunicative connection with the post-processing block 20 andconfigured to receive the output signal from the post-processing block20 and to perform one or more additional transformations of the outputsignal. These and other mechanisms may function to add furtherrobustness to the cryptographic strength of the ultimate output signalof a random number generating apparatus, according to a wide array ofdifferent illustrative embodiments.

Although the present disclosure has been described with reference to oneor more embodiments, workers skilled in the art will recognize thatchanges may be made in form and detail without departing from thedisclosure or the appended claims. As one illustrative example, it isrecognized that components that may be described in a particularembodiment may be equivalently provided in one single integrated circuitchip, or with components distributed over two or more integrated circuitchips, or with some or all elements distributed over other types ofcircuits, computing device elements, and other hardware and softwareresources. As another illustrative example, it is well understood thatany instance of an element being described “illustratively” or as an“illustrative example” means in part that it refers to just one possibleembodiment out of a wide variety of other embodiments with otherconfigurations that differ from those explicitly described herein, butthat will be understood by those skilled in the art to also lie withinthe scope of the subject matter defined by the appended claims. Asanother illustrative example, method steps described above may beperformed by one or more integrated circuit chips, or with one or moreor all of the method steps performed on other types of hardware orsoftware elements.

Many other variations among different embodiments may also be madewithin the metes and bounds of the subject matter described by thepresent disclosure and defined by the claims recited below.

1. An apparatus comprising: an initial random source; and apost-processing block in communicative connection with the initialrandom source, where the post-processing block is configured to receivean input signal selected based on the initial random source, to applyone or more finite field operations to the input signal to generate arandomized output, and to provide an output signal via an output channelwherein the output signal is based at least in part on the randomizedoutput.
 2. The apparatus of claim 1, wherein the one or more finitefield operations the post-processing block is configured to apply to theinput signal comprise at least one operation selected from among a groupconsisting of: finite field addition, finite field multiplication, andfinite field squaring.
 3. The apparatus of claim 2, wherein the one ormore finite field operations the post-processing block is configured toapply to the input signal further comprise at least one additionaloperation selected from among: finite field addition, finite fieldmultiplication, and finite field squaring.
 4. The apparatus of claim 3,wherein the one or more finite field operations the post-processingblock is configured to apply to the input signal comprise both finitefield multiplication and finite field squaring.
 5. The apparatus ofclaim 1, wherein the one or more finite field operations thepost-processing block is configured to apply to the input signalcomprise finite field operations over a Galois field of a prime numberto the nth power, where n is a prime integer.
 6. The apparatus of claim5, the post-processing block is further configured such that n isselected from a group consisting of: 17, 19, 23, 29, and
 31. 7. Theapparatus of claim 5, wherein the prime number is
 2. 8. The apparatus ofclaim 1, wherein the post-processing block is further configured toprovide the output signal as a subset of bits from the randomizedoutput.
 9. The apparatus of claim 1, wherein the initial random sourcecomprises a ring oscillator.
 10. The apparatus of claim 9, wherein thering oscillator comprises a plurality of series-connected elements,wherein the elements comprise at least one element type selected from agroup consisting of: inverters, buffers, logic-OR gates, and logic-ANDgates.
 11. The apparatus of claim 9, wherein the initial random sourcecomprises a plurality of ring oscillators.
 12. The apparatus of claim 1,wherein the initial random source comprises a pseudo-random source. 13.The apparatus of claim 12, wherein the pseudo-random source comprises alinear feedback shift register.
 14. The apparatus of claim 1, whereinthe initial random source and the post-proces sing block are comprisedin a first random number generator, wherein the apparatus furthercomprises one or more additional random number generators operating inparallel to the first random number generator, wherein the apparatus isconfigured such that the output signal comprises random bits from eachof the first random number generator and the one or more additionalrandom number generators.
 15. The apparatus of claim 1, furthercomprising one or more additional elements in communicative connectionwith the post-processing block and configured to receive the outputsignal from the post-processing block and to perform one or moreadditional transformations of the output signal.
 16. A methodcomprising: generating an initial random signal; using the initialrandom signal as a control signal to select from among a plurality ofoptional input signals; performing one or more finite field operationson the input signals; and providing an output signal based at least inpart on a result of the one or more finite field operations.
 17. Themethod of claim 16, wherein the finite field operations comprise one ormore operations selected from among a group consisting of: finite fieldaddition, finite field multiplication, and finite field squaring.
 18. Anintegrated circuit device comprising: a ring oscillator; a multiplexercomprising two data signal inputs, a control signal input, and anoutput, where the control signal input is communicatively connected toan output of the ring oscillator; a finite field multiplicationcomponent comprising first and second inputs and an output, wherein thefirst input of the finite field multiplication component iscommunicatively connected to the output of the multiplexer; a finitefield squaring component comprising an input and an output, wherein theoutput of the finite field squaring component is communicativelyconnected to the second input of the finite field multiplicationcomponent; and an accumulator comprising an input and an output, whereinthe input of the accumulator is communicatively connected to the outputof the finite field multiplication component, and the output of theaccumulator is communicatively connected to both the input of the finitefield squaring component, and to an output channel.
 19. The integratedcircuit device of claim 18, wherein the finite field multiplicationcomponent is configured to multiply over a finite field of 2 to the nthpower, where the finite field multiplication component comprisesapproximately 7n² logic NAND gates.
 20. The integrated circuit device ofclaim 18, wherein the finite field squaring component is configured toperform a cyclic shift of an input binary vector.